Setting up an OpenVPN server with Ubiquiti EdgeRouter (EdgeOS) and Viscosity

Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.

Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.

This guide will walk you through the steps involved in setting up an OpenVPN server on Ubiquiti EdgeRouter (EdgeOS) that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well. This guide was written using a Ubiquiti EdgeRouter Lite, but should work with any Ubiquiti device running EdgeOS v1.9 or later.

This guide won't cover setting up the router itself. A device running EdgeOS is normally acting as the network's router, so we will assume that the Ubiquiti EdgeRouter is directly connected to the internet with its own IP address.

Preparation

For this guide, we assume:

You have an already functional Ubiquiti EdgeRouter running EdgeOS (also known as "EdgeMax Software") v1.9 or later.

Your router has been set up with at least one WAN and one LAN interface.

You are connected to your Ubiquiti EdgeRouter via a LAN connection.

Only the initial setup wizard for setting up your router with a WAN and LAN interface has been run.

If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).

Support

Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.

Getting Started

We will assume that you have already set up your network interfaces as such:

'Internet' - eth0 or pppoe0 connected to the internet

'Local' - eth1 connected to your local home network

Creating Certificates and Keys

You can use the scripts provided by Easy-RSA to generate the required certificates and keys on your client device. Please follow the steps in our Creating Certificates and Keys guide.

Transferring Files to the Server

In order to use the credential and conf files you have created to set up your OpenVPN server, you need to transfer them to the server. For OpenVPN to be able to access these files, we need to copy them to the directory /config/auth/. The method which you use will depend very much on your particular setup. If you followed the steps to generate the certificates, your files should be on your client device in the directory: ~/Documents/Viscosity/client/keys/ (or on Windows: C:\Users\your-account-name\Documents\Viscosity\client\keys\).

Whichever method you choose to transfer these files, be very careful that you use an encrypted method (such as SFTP or SCP). There are a number of GUI applications that you can use to securely transfer these files to the server: Cyberduck, Transmit and WinSCP to name just a few. Alternatively, if you have physical access to the server and client, perhaps transfer them via a USB drive. Just make sure you don’t transfer them over the internet unencrypted.


OpenVPN Server Configuration

At the time of writing, EdgeOS does not include a GUI interface for setting up an OpenVPN server like it does for other VPN protocols. Fortunately however, all the tools are available on the router to be able to easily configure an OpenVPN server via command line.

You can access the command line interface of your router in multiple ways. For the purpose of this guide we will be using the command line interface included in the web portal. To access this, open a web page and navigate to the IP address of your EdgeRouter device (https://192.168.1.1 by default). Log in, then click the CLI button towards the top right hand corner of the page. This will open a black background CLI window in your browser. You can log in to this using the same details you used to log in to the EdgeOS web page.

For more advanced users, this guide can also be followed by accessing the device via Console or SSH.

There are a number of different settings we need to customize in our OpenVPN server configuration. In the terminal, enter configuration mode by typing:

configure

You should see the prompt change from $ to #. If you make a mistake entering the following configuration commands, you can remove a previously entered command by repeating it, but replacing the word 'set' at the start with the word 'delete'.

Paste the following into the terminal window:

# Configure this OpenVPN instance to run as the VPN server
set interfaces openvpn vtun0 mode server
# The OpenVPN server needs to know the location of the Diffie-Hellman file
# NOTE: Depending on how you generated your keys, this file name might be 'dh.pem' instead
set interfaces openvpn vtun0 tls dh-file '/config/auth/dh2048.pem'
# Our VPN connection will be transported over UDP
set interfaces openvpn vtun0 openvpn-option "--proto udp"
# The server needs to keep a record of client virtual IP addresses so that they
# can be reassigned if the server goes down
set interfaces openvpn vtun0 openvpn-option "--ifconfig-pool-persist ipp.txt"
# To ensure that each side of the VPN knows if the connection has been severed,
# we want to ping each side every 10 seconds. If either side fails to receive a
# ping within 2 minutes, then it will assume the other side is down
set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120"
# There can be security issues if you run the OpenVPN server as root, so we will
# downgrade the user and group
set interfaces openvpn vtun0 openvpn-option "--user nobody --group nogroup"
# To avoid attempting to access resources that may no longer be accessible on
# restart
set interfaces openvpn vtun0 openvpn-option "--persist-key --persist-tun"
# To write (and rewrite) a short summary of current VPN connections every minute
# to a file
set interfaces openvpn vtun0 openvpn-option "--status openvpn-status.log"
# The verbosity of this connection logging (displayed in the Viscosity 'Details'
# window) can range from 0 (silent) to 9 (extremely verbose). We will use the
# default of 3
set interfaces openvpn vtun0 openvpn-option "--verb 3"
# To prevent more than 10 duplicates of the same log message in a row from
# flooding the Viscosity log
set interfaces openvpn vtun0 openvpn-option "--mute 10"
# The credential files
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/server.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/server.key'
# The server will use the default OpenVPN port (1194)
set interfaces openvpn vtun0 openvpn-option "--port 1194"
# We need the VPN to create a tun network interface through which we can
# route all our traffic:
set interfaces openvpn vtun0 openvpn-option "--dev vtun0"
# The VPN requires a private IP subnet. We will use the default OpenVPN IP
# subnet
set interfaces openvpn vtun0 server subnet '10.8.0.0/24'
# We want VPN clients connected to this server to be able to access any hosts
# accessible on your home network. We are assuming that your local network
# subnet is 192.168.0.x/24. If it is something else, you will need to change the
# IP address in the command below.
set interfaces openvpn vtun0 server push-route 192.168.0.0/24
# Set the OpenVPN server to push a DNS server to clients. This can be your local DNS
# (which we set up later), an external DNS of your choice, or you can omit this command
# to set up DNS on the client only.
set interfaces openvpn vtun0 server name-server 192.168.1.1
# Lastly, we want to allow hosts on the home network to be able to see VPN
# clients connected to the OpenVPN server
set interfaces openvpn vtun0 openvpn-option "--client-to-client"
# Save and end the configuration
commit
save
exit

Pay special attention to the IP address in the set interfaces openvpn vtun0 server push-route 192.168.0.0/24 command. Ensure that this subnet matches your home/office LAN IP subnet. If you are not setting up this VPN server to access your home/office LAN, then you can skip this line altogether.

We are now done with the command line; everything else can be done from the EdgeOS GUI via a web browser. Next, log in to your router via your browser of choice, and you should see the new OpenVPN interface on the Dashboard.

Firewall Rules

If you are using the default firewall setup, we only need to set up a couple of things. First, we need to enable NAT masquerade for the VPN interface. To do this, open a web browser, navigate to and log in to your EdgeRouter device. Next, click the Firewall/NAT tab at the top of the window, then select the NAT tab that appears underneath. Click Add Source Nat Rule and configure the following options:

Description - OpenVPN MASQ eth0

Select "Use Masquerade"

Select "All protocols"

Outbound Interface - eth0

Src Address - 10.8.0.0/24

Then click Save. We need to add a rule for each interface we want OpenVPN clients to be able to communicate with, so at minimum we need to add one more. Click Add Source Nat Rule again and configure the following options:

Description - OpenVPN MASQ eth1

Select "Use Masquerade"

Select "All protocols"

Outbound Interface - eth1

Src Address - 10.8.0.0/24

Then click Save.

Next we need to configure a firewall rule to allow us to connect to the OpenVPN server when we're outside the local network, like on the road or at a coffee shop. To do this, click the Firewall/NAT tab, then click the Firewall Policies tab which appears underneath.

You should see a rule-set here named WAN_LOCAL. We want to add a new rule to this, so click Actions on the right and select Edit Ruleset. In the new window that appears, click Add New Rule and fill in the following details:

General Tab:

Description - Allow external connections to OpenVPN

Action - Accept

Protocol - UDP

Destination Tab:

Port - 1194

Click Save, then click Save Ruleset. You should now be able to connect to your OpenVPN server from an external location.

DNS Server

If you are planning on encrypting all network traffic through your VPN server then it is recommended to enable your own DNS server. EdgeOS has a DNS forwarder built in which we can use to provide our own DNS server for the VPN connection, so that clients' DNS queries travel inside the tunnel rather than to whatever resolver the untrusted local network offers, preventing DNS related attacks.

If your router is already set up as the DNS server for your local network (and you entered the command to push your router as the DNS server for OpenVPN), it is extremely easy to reuse your local DNS setup.

To do this, open a web browser, navigate to and log in to your EdgeRouter device. Click the Services tab, then click the DNS tab which appears underneath. Click Add Listen Interface, select vtun0 in the new drop down that appears, then click Save underneath.
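The same NAT masquerade rules, WAN_LOCAL accept rule and DNS forwarder change from the two sections above can also be entered from the router's CLI in configuration mode. This is an added example, not part of the original guide; the rule numbers 5010, 5011 and 30 are assumptions (use any numbers not already taken in your NAT table and WAN_LOCAL ruleset), and the interface names match the ones assumed in Getting Started.

```text
configure
# Masquerade VPN client traffic (10.8.0.0/24) leaving via the internet interface.
# Rule number 5010 is an assumption.
set service nat rule 5010 description 'OpenVPN MASQ eth0'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
set service nat rule 5010 source address 10.8.0.0/24
# Masquerade VPN client traffic leaving via the LAN interface (rule 5011 assumed).
set service nat rule 5011 description 'OpenVPN MASQ eth1'
set service nat rule 5011 outbound-interface eth1
set service nat rule 5011 type masquerade
set service nat rule 5011 protocol all
set service nat rule 5011 source address 10.8.0.0/24
# Open only UDP 1194 on the WAN_LOCAL ruleset (rule 30 assumed). The ruleset's
# existing default drop still applies to everything else arriving from the WAN.
set firewall name WAN_LOCAL rule 30 description 'Allow external connections to OpenVPN'
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 1194
# Make the built-in DNS forwarder answer queries arriving on the tunnel interface.
set service dns forwarding listen-on vtun0
commit
save
exit
# Back in operational mode, confirm the rule is present and counting hits once
# a client connects:
show firewall name WAN_LOCAL statistics
```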

Setting Up Viscosity

The interfaces provided by the Mac and Windows versions of Viscosity are intentionally very similar. As such, we will focus our guide on the Mac version, pointing out any differences with the Windows version as they arise.

If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.

Click the Viscosity icon in the menu bar (Windows: system tray) and select 'Preferences...':


This shows you the list of available VPN connections. We assume you recently installed Viscosity, so this list is empty. Click on the '+' button and select 'New Connection':

Configuring the Connection

You will now need to set the connection parameters as outlined below:

In the General tab, replace the connection name with your desired name for the connection, for example "DemoConnection".

Replace the "Address" field with the IP address needed to connect to the server. If your EdgeRouter is directly reachable from the internet this will be its IP address. If the server is behind a router and port-forwarding has been set up this should be the external IP address of your router (please see the section above).

Click the Authentication tab.

Click the Select ... button next to the CA option. Select the ca.crt file you created earlier (Mac: ~/Documents/Viscosity/client/keys/, Windows: C:\Users\your-account-name\Documents\Viscosity\client\keys\).

Click the Select ... button next to the Cert option. Select the client1.crt file you created earlier.

Click the Select ... button next to the Key option. Select the client1.key file you created earlier.

Click on the Networking tab and enter "10.8.0.1" into the "Servers" field in the DNS Settings section.

Click the Save button to save your changes.

(Optional) Allowing Access to the Internet

By default the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However if you also wish to have all internet traffic sent through the VPN connection it's necessary to make a final edit to the connection:

Double-click on your connection in the Viscosity Preferences window to open the connection editor.

Click on the Networking tab.

Click the "All Traffic" drop down and select the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.

Click the Save button.

Connecting and Using Your VPN Connection

You are now ready to connect. Click on the Viscosity icon in the menu bar (Windows: system tray) and select 'Connect DemoConnection'. That's it, you should see a notification that you're now connected!

To check that the VPN is up and running, you can use the Viscosity details window. Click the Viscosity menu bar (Windows: system tray) icon and select 'Details...'. This will bring up the details window.

This window will show you the traffic passing through the VPN connection.

Accessing Network Resources

Once connected to your VPN, you can access your files or other services by using the LAN IP address you would use if you were connected to them via your home/office local network.

Connect via Mac

To connect to a shared network directory from your Mac connected to the VPN:

Open a Finder window.

Click Go on the menu bar and select "Connect to Server...".

In the Server Address, type the LAN IP address of your network resource (something like 192.168.0.x) and click Connect.

Enter the username and password for the network resource.

Select the shared volume you want to access and click OK.

Network resources you would normally find appearing in the Finder sidebar will not appear when connected to via the VPN. You can find connected network resources in the Computer directory. In a Finder window, press ⌘ + shift + c to jump to the Computer directory.

Connect via Windows

To connect to a shared network directory from your PC connected to the VPN:

Type \\lan-ip-address into the Search the web and Windows box in the taskbar and press Enter (something like \\192.168.0.x).

Enter the username and password for the network resource.

You will then see the folders shared by this host.

That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!